#jinja2: lstrip_blocks: True

{% if keystone_federation_oidc | bool %}
    OIDCClaimPrefix                   "OIDC-"
    OIDCResponseType                  "id_token"
    OIDCProviderTokenEndpointAuth     client_secret_basic
    OIDCScope                         "openid email profile"
    {% if keystone_OIDCProviderMetadataURL %}
    OIDCProviderMetadataURL           {{ keystone_OIDCProviderMetadataURL }}
    {% endif %}
    {% if keystone_OIDCProviderIssuer %}
    OIDCProviderIssuer                {{ keystone_OIDCProviderIssuer }}
    {% endif %}
    {% if keystone_OIDCProviderAuthorizationEndpoint %}
    OIDCProviderAuthorizationEndpoint {{ keystone_OIDCProviderAuthorizationEndpoint }}
    {% endif %}
    {% if keystone_OIDCProviderTokenEndpoint %}
    OIDCProviderTokenEndpoint         {{ keystone_OIDCProviderTokenEndpoint }}
    {% endif %}
    {% if keystone_OIDCProviderJwksUri %}
    OIDCProviderJwksUri               {{ keystone_OIDCProviderJwksUri }}
    {% endif %}
    OIDCSSLValidateServer             {{ keystone_OIDCSSLValidateServer | ternary('On', 'Off') }}
    OIDCClientID                      {{ keystone_OIDCClientID }}
    OIDCClientSecret                  {{ keystone_OIDCClientSecret }}
    OIDCCryptoPassphrase              {{ keystone_OIDCCryptoPassphrase }}
    OIDCRedirectURI                   {{ keystone_proto }}://{{ keystone_public_address }}:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect

    <LocationMatch /v3/auth/OS-FEDERATION/websso/oidc>
      AuthType openid-connect
      Require valid-user
    </LocationMatch>

    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
      AuthType openid-connect
      Require valid-user
    </LocationMatch>
{% endif %}
